Tuesday, January 12, 2010

Many Americans are not familiar with Baidu, but in China it's the word people say where we would say Google. Baidu is a Chinese search engine that commands a powerful 60% of the marketplace. And this morning, their website looked like this:

The white line of Persian text on the website is a statement that reads:

Army of cyber-sites has been established to protest intervention in the internal affairs of our country and broadcast of false and divisive news by Foreigners and Israel.

(with a little word-re-ordering to preserve meaning)

We first heard of the Iranian Cyber Army on December 18th when they attacked Twitter with an almost identical attack. We documented the attack here in our story Who Is the Iranian Cyber Army?.

In today's attack, the nameservers for Baidu were redirected to a small network that caters to "warez" and various piracy and pornography servers. The host 188.95.49.6 became the address for ns1.baidu.com, ns2.baidu.com and ns3.baidu.com, and these new "unofficial" nameservers answered every query under baidu.com with a wildcard record, pointing everything to that same IP address, 188.95.49.6.

Later in the morning, that IP address shifted to 188.95.49.19, which is the address that is live as of this writing.
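The two symptoms described above, nameservers that suddenly resolve to a foreign address and a wildcard that answers every name with that one address, are both easy to check for automatically. The following is an added example written for this post, not code from the original article or from Baidu: a small delegation monitor that compares observed NS records and their addresses against a known-good baseline, and probes random labels to detect a zone-wide wildcard. The resolver is a constructed stub so the script runs offline; the "healthy" addresses (192.0.2.x) are RFC 5737 documentation placeholders, not Baidu's real nameserver addresses, while the "hijacked" data mirrors the 188.95.49.6 pattern from the post.

```python
"""Detect a nameserver hijack: NS records resolving to unexpected hosts,
and a wildcard that returns one address for every name in the zone."""
import secrets
from typing import Callable, Dict, List, Optional

# A resolver is any callable (name, rrtype) -> list of answer strings.
Resolver = Callable[[str, str], List[str]]

# Known-good baseline (placeholder addresses, RFC 5737 documentation range).
BASELINE_NS = {"ns1.baidu.com", "ns2.baidu.com", "ns3.baidu.com"}
BASELINE_NS_ADDRS = {
    "ns1.baidu.com": {"192.0.2.1"},
    "ns2.baidu.com": {"192.0.2.2"},
    "ns3.baidu.com": {"192.0.2.3"},
}


def check_delegation(domain: str, resolve: Resolver,
                     baseline_ns: set, baseline_addrs: Dict[str, set]) -> List[str]:
    """Return human-readable findings; an empty list means the delegation matches."""
    findings = []
    observed_ns = {n.rstrip(".").lower() for n in resolve(domain, "NS")}
    for ns in sorted(observed_ns - baseline_ns):
        findings.append(f"unexpected nameserver {ns}")
    for ns in sorted(baseline_ns - observed_ns):
        findings.append(f"missing nameserver {ns}")
    # Same NS names but different glue/addresses is exactly the Baidu case.
    for ns in sorted(observed_ns & baseline_ns):
        bad = set(resolve(ns, "A")) - baseline_addrs.get(ns, set())
        if bad:
            findings.append(f"{ns} resolves to unexpected address(es) {sorted(bad)}")
    return findings


def check_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Optional[List[str]]:
    """Query random, never-registered labels. If every probe resolves to the
    same address set as the apex, the zone is wildcarding everything; return
    that address set, else None. (Legitimate zones can wildcard too, so treat
    this as corroborating evidence, not proof on its own.)"""
    apex = set(resolve(domain, "A"))
    hits = []
    for _ in range(probes):
        label = secrets.token_hex(8)          # e.g. 3f9a...; will not exist legitimately
        answers = set(resolve(f"{label}.{domain}", "A"))
        if answers:
            hits.append(answers)
    if len(hits) == probes and apex and all(h == apex for h in hits):
        return sorted(apex)
    return None


def make_stub(domain: str, zone: Dict[str, Dict[str, List[str]]],
              wildcard_a: Optional[str] = None) -> Resolver:
    """Constructed offline resolver: exact records from `zone`, optional
    wildcard A answer for any other name under `domain`, else no data."""
    def resolve(name: str, rrtype: str) -> List[str]:
        name = name.rstrip(".").lower()
        if name in zone and rrtype in zone[name]:
            return list(zone[name][rrtype])
        if rrtype == "A" and wildcard_a and name.endswith("." + domain):
            return [wildcard_a]
        return []
    return resolve


NS_NAMES = ["ns1.baidu.com", "ns2.baidu.com", "ns3.baidu.com"]

# Constructed "before" picture: delegation matches the baseline, no wildcard.
HEALTHY = make_stub("baidu.com", {
    "baidu.com": {"NS": NS_NAMES, "A": ["192.0.2.10"]},
    "ns1.baidu.com": {"A": ["192.0.2.1"]},
    "ns2.baidu.com": {"A": ["192.0.2.2"]},
    "ns3.baidu.com": {"A": ["192.0.2.3"]},
})

# Constructed "after" picture modelled on the post: same NS names, but all
# three now resolve to 188.95.49.6 and every name under the zone does too.
HIJACKED = make_stub("baidu.com", {
    "baidu.com": {"NS": NS_NAMES, "A": ["188.95.49.6"]},
    "ns1.baidu.com": {"A": ["188.95.49.6"]},
    "ns2.baidu.com": {"A": ["188.95.49.6"]},
    "ns3.baidu.com": {"A": ["188.95.49.6"]},
}, wildcard_a="188.95.49.6")


def audit(domain: str, resolve: Resolver) -> Dict[str, object]:
    """Run both checks and return a summary dict (what a monitor would alert on)."""
    return {
        "delegation_findings": check_delegation(domain, resolve, BASELINE_NS, BASELINE_NS_ADDRS),
        "wildcard_target": check_wildcard(domain, resolve),
    }


if __name__ == "__main__":
    for label, stub in (("healthy", HEALTHY), ("hijacked", HIJACKED)):
        print(label, audit("baidu.com", stub))
```

To run this against live DNS, replace the stub with a thin wrapper around a real client, for example dnspython's `dns.resolver.resolve(name, rrtype)` with the answer rdata converted to strings. For a delegation check the NS and glue records should ideally be fetched from the parent zone's servers rather than from the (possibly hijacked) child nameservers, since that is where the redirection described in the post actually took effect.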

Click the image below to see the full unedited version of the original graphic that was posted on the server:

(The original file was named "-1-2.jpg". Its EXIF data indicates that the file was saved using Adobe Photoshop CS4 Windows on December 27, 2009 at 1:41:44 PM.)

There were also two VERY interesting email addresses on the page:

Soldier@CyberArmyOfIran.com and Soldier@IRCArmy.com

The website "cyberarmyofiran.com" is hosted on the Canadian IP address 70.35.29.162, which belongs to "Netfirms Inc".

So what do we know about Warez-Host, the network that hosts these addresses? Here's what their website says about themselves:

Warez-Host is a privately-owned organization located in Dubai, UAE. At Warez-Host, we understand that our customers' web sites are important and they require reliable services to ensure that service is not interrupted. We have established a solid foundation to offer a reliable, easy to use and low cost web hosting solution for small-to-large sized businesses and helping thousands of customers get their web sites online.

Our goal is to provide a low-cost web hosting solution that is easy-to-use, and is customer service oriented. At Warez-Host, we value our customers and recognize their need for quality service and outstanding customer service.

Warez-Host web hosting is the perfect choice for all of your web hosting needs; our datacenters are located in the Netherlands, IRAN and Germany.

The Dedicated Server pages for each data center explain what types of content you can host on their servers. For example, it's OK to host stolen software and movies ("warez") in all three locations, but the Iranian Data Center list (shown below) makes it clear you can't host pornography in Iran, although you can in their German and Netherlands-based data centers.

So, if someone wants to get to the bottom of who hacked Baidu, all they have to do is serve a subpoena on the UAE-based company's Iranian data center manager to learn who owns this dedicated server and obtain its logs.